Threat Actors Increasingly Abusing GitHub for Malicious Purposes

Jan 11, 2024 | Newsroom | Cybersecurity / Software Security

The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and to act as dead drop resolvers, command-and-control, and data exfiltration points.

“Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult,” Recorded Future said in a report shared with The Hacker News.

The cybersecurity firm described the approach as “living-off-trusted-sites” (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar.

Prominent among the methods by which GitHub is abused is payload delivery, with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue Python packages that relied on a secret gist hosted on GitHub to receive malicious commands on the compromised hosts.

While full-fledged C2 implementations on GitHub are uncommon in comparison to other infrastructure schemes, its use by threat actors as a dead drop resolver – wherein information published in an actor-controlled GitHub repository is used to obtain the actual C2 URL – is far more prevalent, as evidenced in the case of malware like Drokbk and ShellBox.

Also rarely observed is the abuse of GitHub for data exfiltration, which, per Recorded Future, is likely due to file size and storage limitations and concerns around discoverability.

Outside of these four main schemes, the platform's offerings are put to use in various other ways to serve infrastructure-related purposes. For instance, GitHub Pages have been used as phishing hosts or traffic redirectors, and some campaigns have used a GitHub repository as a backup C2 channel.

The development speaks to the broader trend of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, Trello, and Discord being exploited by threat actors. This also includes other source code and version control platforms like GitLab, BitBucket, and Codeberg.

“There is no universal solution for GitHub abuse detection,” the company said. “A mix of detection strategies is needed, influenced by specific environments and factors such as the availability of logs, organizational structure, service usage patterns, and risk tolerance, among others.”
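One of the log-based strategies the quote alludes to, as an added illustration that is not part of the article or the Recorded Future report: a dead drop resolver has to poll the same raw GitHub or gist URL on a fixed schedule, while a developer fetches varied files at irregular times. The heuristic below parses constructed proxy log lines (the log format, hosts, client addresses and URLs are all assumptions) and flags clients that fetch one raw URL repeatedly at a near-constant interval.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<iso timestamp> <client ip> <method> <url>".
# 10.0.0.5 polls one gist every ~5 minutes; 10.0.0.7 browses a repo normally.
SAMPLE_LOG = """\
2024-01-10T09:00:00Z 10.0.0.5 GET https://gist.githubusercontent.com/u1/abc/raw/cfg.txt
2024-01-10T09:05:00Z 10.0.0.5 GET https://gist.githubusercontent.com/u1/abc/raw/cfg.txt
2024-01-10T09:10:01Z 10.0.0.5 GET https://gist.githubusercontent.com/u1/abc/raw/cfg.txt
2024-01-10T09:15:00Z 10.0.0.5 GET https://gist.githubusercontent.com/u1/abc/raw/cfg.txt
2024-01-10T09:02:13Z 10.0.0.7 GET https://github.com/org/repo/pull/42
2024-01-10T09:31:45Z 10.0.0.7 GET https://raw.githubusercontent.com/org/repo/main/README.md
2024-01-10T11:07:02Z 10.0.0.7 GET https://raw.githubusercontent.com/org/repo/main/setup.py
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Hosts that serve raw file content, where a resolver would read its C2 pointer.
RAW_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com", "gist.github.com"}


def parse_raw_fetches(log):
    """Yield (timestamp, client, url) for each fetch of raw GitHub/gist content."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, _method, url = m.groups()
        if url.split("/")[2] in RAW_HOSTS:
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url


def find_polling(log, min_hits=4, max_jitter=0.2):
    """Return {(client, url): mean_interval_seconds} for clients that fetched the
    same raw URL at least min_hits times with interval jitter below max_jitter."""
    hits = defaultdict(list)
    for ts, client, url in parse_raw_fetches(log):
        hits[(client, url)].append(ts)
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            flagged[key] = round(mean(gaps))
    return flagged
```

Thresholds should be tuned to the environment's own GitHub usage patterns, and a flagged client is a lead for triage, not a verdict.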
